Slashdot Mirror


Active Directory on Win2k or 2k3?

lordbry asks: "I am a Windows admin for a major university in a business computing area (if we have problems, people might not get paid). We have a Windows NT Domain, and are planning to migrate to Active Directory. One of my co-workers is pushing for doing this under Windows 2003. I, however, feel that (as with any M$ product) we should not even consider using 2003 for production anything until there is an SP 2 or 3, and that we should go with AD under Windows 2000. Does anyone have any advice, arguments, or horror stories that could help me make my case to the rest of my group, all of whom are somewhere in the middle? Does anyone think that 2003 is the way to go?"

14 of 105 comments

  1. At my office by secondsun · · Score: 4, Informative

    We went to 2k3 around the time it was released. The response around the office is more or less, "Fuck chevy this thing's a rock".

    For shits and giggles we put it on a pentium 2 300 laptop with 300MB of ram, it was stable, fast, and useful. In all honesty it is a great product and a worthy successor to 2k.

    --
    There is nothing wrong with being gay. It's getting caught where the trouble lies.
  2. Go with 2003 by Finni · · Score: 4, Informative

    Um. AD using Windows 2003 is the service pack for the version of AD using Windows 2000.
    It's not like they re-wrote it from scratch. Nor is it like AD (using 2000) is entirely new either; it was developed from the backend of Exchange's directory service, if I understand correctly.
    Go with 2003, I haven't read of any particular defects of either AD or the server OS features under 2003, compared to 2000. And yes, things like Volume Shadow Copy, or whatever it's called, may make your life as an admin easier. Certainly, if you're running IIS sites, you'll appreciate the security of IIS 6 more than IIS 5.

  3. Re:Word of advice.. by altp · · Score: 4, Informative

    I've loaded 33,000 into a Windows 2000 AD with some perl scripts I wrote. Takes several hours, but all went well.

    What type of problems did you encounter?

  4. Re:Word of advice.. by eingram · · Score: 3, Informative

    Users and groups permissions started changing randomly for a few hours afterwards. It was not a fun day. I didn't write the script or even execute it, so I don't know why it happened, but I (and a few other IT people) got to clean up the mess.

  5. It's been a while, but... by Omega1045 · · Score: 2, Informative
    As far as applications and security, I would take a serious look at going with Win2k3. It doesn't "turn on" all kinds of services by default like IIS. So after install, you don't have to hunt down as much stuff to turn off (or forget to hunt something down). Also, IIS on Win2k3 lives in something like a sandbox, preventing some of the buffer overflow attacks that have been so common on Windows machines.

    Win2k3 will run your .NET based apps a little better as .NET runtime binding is built into the way applications are executed on Win2k3 and WinXP.

    I only used the betas and release candidates, but they were all very stable and we actually had fewer problems with them than our Win2k machines.

    Just my 2 cents...

    --

    Great ideas often receive violent opposition from mediocre minds. - Albert Einstein

  6. Re:Don't believe the hype. by Jeremiah+Cornelius · · Score: 3, Informative
    CALs (Client Access Licenses) are priced differently with 2003.

    Owning a 2000 WS or XP Pro license no longer counts as a server CAL for 2003 - you need also to buy a CAL for that station, on top of OS price.

    That said, 2003 is definitely what 2000 was supposed to be. You are worried about service packs? I would look at 2003 as the 3rd rev of 2000. The directory scales better times 1000 - and is massively more flexible in configuration, especially if you are interoperating with non-MS Kerberos realms. Plus, you get ADAM, constrained and granular delegation of Kerb IDs, a built-in firewall, etc.

    Really, it's hard to know where to start on the advantages.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  7. I think you misunderstand.... by hawkbug · · Score: 1, Informative

    Win2k3 is Win2k SP5 :) No, seriously though - have a look at the version number of the OS sometime. You'll laugh.

    Windows 2000 - Windows NT 5.0
    Windows XP - Windows NT 5.1
    Windows 2003 - Windows NT 5.2

    Something tells me there is nothing ground breaking going on from version to version! In all seriousness though, go with 2003 or you'll be sorry. I say this because it's only going to be a few years I bet before Microsoft drops support for patches for 2K. You don't want to spend a ton of money only to have to do it again very soon for 2003. Also, 2003 is more stable than 2K out of the box, and that counts for something. Driver support is also much better, the ability to roll back drivers, etc.

    1. Re:I think you misunderstand.... by Judg3 · · Score: 3, Informative

      I say this because it's only going to be a few years I bet before Microsoft drops support for patches for 2K.

      Actually, Windows 2000 life cycle is Jun 30th 2005 for mainstream support and Jun 30 2010 for extended support. (By comparison Windows 2003 mainstream is Jun 30 2008 and extended is Jun 30 2013)

      This is from MS.com. Difference between Mainstream and Extended support here.

      --
      Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
  8. Re:I Just Did this Migration by anticypher · · Score: 2, Informative

    Yes, get the DNS correct from the very beginning.

    One of my clients with many DNS servers has finally developed some filters to cut out all the AD crap lookups coming from a handful of poorly designed systems. It's not just a little bit of traffic, it was something like a 25x increase in bogus DNS traffic because a handful of his clients thought they could get away with putting their company name as the TLD or some other misunderstanding of AD.

    Plan on first building a sandbox version of your network, with an external DNS server simulating the entire internet. Monitor the kinds of lookups escaping your network to make sure close to 100% of your traffic stays local. Your local AD and DNS servers should agree on your structure, and the rest of the world should agree on your chosen (assigned) domain name.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
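
An added example, not part of the comment above: one way to run the sandbox check it describes, by classifying a resolver query log into lookups answered locally, ordinary external lookups, and AD locator lookups that escaped. The log format, the domain `ad.example.edu`, and the client addresses are assumptions constructed for illustration.

```python
from collections import Counter

AD_DOMAIN = "ad.example.edu"   # assumption: the assigned AD DNS domain
# Labels that appear in AD domain-controller locator (SRV) names.
AD_LABELS = {"_msdcs", "_ldap", "_kerberos", "_kpasswd", "_gc", "_sites"}

# Constructed sample log: "<client> <qname> <qtype> <answered|forwarded>"
SAMPLE_LOG = """\
10.1.0.11 _ldap._tcp.dc._msdcs.ad.example.edu SRV answered
10.1.0.11 dc1.ad.example.edu A answered
10.1.0.12 _kerberos._tcp.ad.example.edu SRV answered
10.1.0.40 _ldap._tcp.dc._msdcs.bigcorp SRV forwarded
10.1.0.40 _kerberos._tcp.Default-First-Site-Name._sites.bigcorp SRV forwarded
10.1.0.41 _ldap._tcp.pdc._msdcs.finance.local SRV forwarded
10.1.0.12 www.example.org A forwarded
10.1.0.13 fileserver.ad.example.edu A answered
"""

def classify(qname, action):
    """Label one query: local, external, or an AD lookup that left the network."""
    name = qname.lower().rstrip(".")
    in_ad_zone = name == AD_DOMAIN or name.endswith("." + AD_DOMAIN)
    is_ad_lookup = in_ad_zone or any(l in AD_LABELS for l in name.split("."))
    if action == "answered":
        return "local"
    return "escaped-ad" if is_ad_lookup else "external"

def summarize(log_text):
    """Return (verdict counts, offenders keyed by (client, TLD), local ratio)."""
    counts, offenders = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                      # skip malformed lines
        client, qname, _qtype, action = fields
        verdict = classify(qname, action)
        counts[verdict] += 1
        if verdict == "escaped-ad":
            tld = qname.lower().rstrip(".").rsplit(".", 1)[-1]
            offenders[(client, tld)] += 1
    total = sum(counts.values())
    return counts, offenders, (counts["local"] / total if total else 0.0)

if __name__ == "__main__":
    counts, offenders, ratio = summarize(SAMPLE_LOG)
    print(dict(counts), dict(offenders), f"local={ratio:.0%}")
```

Any `escaped-ad` entry points at a client or domain whose AD name does not match a zone the local DNS servers are authoritative for.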
  9. Re:Don't believe the hype. by Anonymous Coward · · Score: 4, Informative
    Sorry for posting this anonymously but I cannot legally speak for my company. We are a major worldwide bank and after months of testing (including Microsoft) we went with 2003 and haven't looked back.

    I admit my first reaction was "Global infrastructure on a service pack 0 platform ????" but after spending some time on the system my view changed entirely.

    Go with w2k3. You won't regret it.

    ps I am personally responsible for finding bugs that some of the hotfixes fix ;-)

  10. Re:Don't believe the hype. by weave · · Score: 3, Informative
    Just to throw this out, 2003 server doesn't play nice with kerberos 1.2.7 that is under RHEL 3. What makes it weirder is that it sometimes will auth with some people, and not others. So in a small test environment it will probably work well.

    The problem is that windows 2003 server's kerberos server will use tcp to send out large bits of data, like allegedly when a user is a member of a lot of groups. Kerberos 1.2 only uses udp.

    Kerberos 1.3 (used in Fedora) works just fine. We were able to get the Kerberos 1.3 source RPMs to compile under RHEL 3 but also had to get an updated e2fsprogs rpm and hand do a symlink for a library due to a minor version mismatch.

    OK, this may not apply to you but maybe someone reading this who has their RHEL boxes auth against AD in 2000 server may benefit.

  11. Re:Word of advice.. by Dibblah · · Score: 3, Informative

    Duh. Groups in W2k have only one 'member' attribute. When this gets replicated, the last writer wins.
    What this means is that the groups membership will 'lose' members if you change it in different places and wait for replication.
    This is one reason that 2k3 is better. It fixes this issue.
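
An added example, not part of the comment above: a simplified simulation of the behaviour it describes, where two domain controllers each add a different member to the same group before replicating. The first merge treats `member` as one unit with last writer wins; the second stamps each value separately, which is how linked-value replication at the Windows Server 2003 forest functional level avoids the loss. The stamp format `(version, time, dc)` and all names are assumptions for illustration, not the real replication metadata.

```python
def add_whole(replica, member, time, dc):
    """Originating write that rewrites the whole member attribute."""
    version = replica["stamp"][0] + 1
    return {"members": replica["members"] | {member},
            "stamp": (version, time, dc)}

def merge_whole(a, b):
    """Whole-attribute conflict resolution: the higher stamp replaces the other."""
    return max(a, b, key=lambda r: r["stamp"])

def add_value(replica, member, time, dc):
    """Originating write that stamps only the value being added."""
    updated = dict(replica)
    updated[member] = (time, dc, True)    # True = present, False = removed
    return updated

def merge_values(a, b):
    """Per-value conflict resolution: each member is compared on its own stamp."""
    merged = dict(a)
    for member, stamp in b.items():
        if member not in merged or stamp > merged[member]:
            merged[member] = stamp
    return merged

def converge_whole():
    base = {"members": frozenset({"alice"}), "stamp": (1, 0, "DC1")}
    dc1 = add_whole(base, "bob", 10, "DC1")      # admin A edits on DC1
    dc2 = add_whole(base, "carol", 12, "DC2")    # admin B edits on DC2
    return sorted(merge_whole(dc1, dc2)["members"])

def converge_values():
    base = {"alice": (0, "DC1", True)}
    dc1 = add_value(base, "bob", 10, "DC1")
    dc2 = add_value(base, "carol", 12, "DC2")
    merged = merge_values(dc1, dc2)
    return sorted(m for m, (_, _, present) in merged.items() if present)

if __name__ == "__main__":
    print("whole attribute:", converge_whole())   # bob's membership is lost
    print("per value:      ", converge_values())  # both additions survive
```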

  12. Depends on your clients by outcast36 · · Score: 2, Informative

    Just thought I'd add my 2 cents. Everyone else is right, 2003 has some nicer features than 2000. If you want to take advantage of a lot of the 2003 features, you're going to need a majority of XP machines. If your client base is all NT4 or 2000, you're not going to see the maximum benefits.

  13. 2003 all the way by Bravo_Two_Zero · · Score: 2, Informative

    Caveat: We haven't moved from NT4 yet, but...

    This one can go to the bank. Do not go to 2000. Even the Microsoft people (from PSS, no less) say 2003 is the way to go. The list of improvements for AD (not to mention the other 2003 OS improvements) is staggering.

    Yes, it's true that a M$ product can generally be considered trash until SP2 or SP3, but there are all sorts of known AD issues in 2000 that have been fixed.

    --


    Amateurs discuss tactics. Professionals discuss logistics.